Risk Management

CyberGRX Partners With BitSight to Address Supply Chain Risks

Partnership Integrates BitSight’s Security Ratings Capabilities With CyberGRX Third-Party Cyber Risk Exchange

The iconic Target breach of 2013 brought attention to the threat from third-party suppliers — the supply chain. Target was breached after its HVAC supplier, Fazio Mechanical Services, had itself been breached and had the credentials it used to access its customer's network stolen.

This threat has become more difficult and more complex as digital transformation has increased and cloud service providers have boomed. A single enterprise can now use several thousand different cloud services. According to Gartner research, a large enterprise’s network of vendors, partners, contractors and customers all with access to the corporate network can easily run into the tens of thousands. Any one of these can potentially introduce an unseen risk.

Managing this risk manually is impossible to do effectively — and several specialist companies have evolved to provide various degrees of automation. SecurityScorecard and BitSight are two companies that provide analyses of third-party vendors by analyzing their external face.

CyberGRX (GRX stands for global risk exchange) takes a different approach — it provides a ‘risk exchange’ based on a storehouse of validated third-party risk assessments. According to CEO Fred Kneip, the firm is the brainchild of Jay Leek — then at Blackstone. “Jay was thinking about the inefficiencies of third-party risk management across his portfolio. In an ad-hoc survey of his portfolio companies, he found that 90 of his 115 portfolio companies were using the exact same vendor. Fifty of those were doing a full-blown assessment of that vendor every year.”

CyberGRX is the result of that observation. Rather than do 50 risk assessments of one vendor, do one assessment and share it across fifty companies. Where CyberGRX differs from SecurityScorecard and BitSight is that its risk assessments are internal rather than external affairs: CyberGRX looks at the vendor's processes and controls in relation to vulnerabilities, while the security-ratings firms look at the third party’s internet-facing footprint.

CyberGRX and BitSight have now recognized the potential synergy between the two approaches.

On Monday they announced a partnership. “BitSight is a leader of the security ratings market, and their ability to continuously rate the security performance of third parties from an outside-in perspective will strengthen the CyberGRX Exchange,” said Kneip. “Combining their proven non-intrusive approach to evaluating risk and security performance with the inside-out view our platform provides is a powerful proposition for customers: a comprehensive, continuous, 360-degree view of third-party cyber risk exposure.”

“Enterprises today require access to accurate, continuous and actionable information about third-party cyber risk,” added Jacob Olcott, VP of strategic partnerships at BitSight. “CyberGRX helps to solve that problem for companies across the world, and our security ratings provide the unique, objective data that organizations need to scale their third-party risk programs and make more informed business decisions.” 

CISOs now have somewhere to go to rate the risk associated with their supply chain without having to spend hours every day poring over vendor-supplied spreadsheets or questionnaires, or ignoring the risk altogether for lack of time and manpower.

BitSight has raised more than $90 million in funding to-date, including $40 million in Series C financing in September 2016. Headquartered in Cambridge, Massachusetts, it was founded in 2011.

CyberGRX closed a $20M Series B funding round in April 2017. Headquartered in Denver, Colorado, it was founded in July 2016.
